YARN-7361. Improve the docker container runtime documentation. Contributed by Shane Kumpf

(cherry picked from commit fac72eef23)
Jason Lowe 2017-11-15 12:32:02 -06:00
parent 9229fb3523
commit e4344d45cb
1 changed files with 21 additions and 5 deletions

@ -17,11 +17,15 @@ Launching Applications Using Docker Containers
<!-- MACRO{toc|fromDepth=0|toDepth=1} -->
Notice
------
This feature is experimental and is not complete. Enabling this feature and
running Docker containers in your cluster has security implications.
Please do a security analysis before enabling this feature.
Security Warning
---------------
**IMPORTANT** This feature is experimental and is not complete. **IMPORTANT**
Enabling this feature and running Docker containers in your cluster has security
implications. With this feature enabled, it may be possible to gain root access
to the YARN NodeManager hosts. Given Docker's integration with many powerful
kernel features, it is imperative that administrators understand
[Docker security](https://docs.docker.com/engine/security/security/) before
enabling this feature.
Overview
--------
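Review bot: The new "Security Warning" paragraph says root access to the NodeManager hosts "may be possible" but does not name the settings in this same document that bound that exposure. Consider pointing readers to the privileged-containers property and the `yarn.nodemanager.runtime.linux.docker.capabilities` property in the yarn-site.xml section, so the warning leads to something actionable. Two style points: the underline under "Security Warning" is 15 dashes for a 16-character heading, while "Notice" and "Overview" match their headings exactly, and the doubled `**IMPORTANT**` around the first sentence reads as a leftover; one leading marker is enough.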
@ -152,6 +156,18 @@ The following properties should be set in yarn-site.xml:
privileged contains if privileged containers are allowed.
</description>
</property>
<property>
<name>yarn.nodemanager.runtime.linux.docker.capabilities</name>
<value>CHOWN,DAC_OVERRIDE,FSETID,FOWNER,MKNOD,NET_RAW,SETGID,SETUID,SETFCAP,SETPCAP,NET_BIND_SERVICE,SYS_CHROOT,KILL,AUDIT_WRITE</value>
<description>
Optional. This configuration setting determines the capabilities
assigned to docker containers when they are launched. While these may not
be case-sensitive from a docker perspective, it is best to keep these
uppercase. To run without any capabilites, set this value to
"none" or "NONE"
</description>
</property>
</configuration>
```
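Review bot: The description for `yarn.nodemanager.runtime.linux.docker.capabilities` misspells "capabilites" (should be "capabilities") and its last sentence has no closing period after "NONE". It also never says that the listed value is a broad set (it includes NET_RAW, MKNOD, SETUID, SETGID and DAC_OVERRIDE), which matters given the root-access warning this patch adds at the top of the page. Suggest one more sentence recommending that administrators reduce the list to the capabilities their workloads need. The hedge "may not be case-sensitive from a docker perspective" would be clearer as a plain instruction to use uppercase names.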